This article is more than 1 year old

Irony, thy name is SANS: 28k records nicked from infosec training org after staffer's email account phished

Names, email addresses, phone numbers, job titles, company names, country of residence etc. pinched

Updated Cybersecurity training organisation the SANS Institute suffered the loss of 28,000 items of personally identifiable information (PII) after a staffer's email account was accessed by malicious people.

SANS published some details of the breach on its website. One person was phished, leading to the compromise of their email account.

Data taken included names, email addresses, phone numbers, job titles, company names, postal addresses and country of residence. Around 28,000 items of data were taken.

In a statement on its website, SANS said: "Aside from the affected user, we currently believe that no other accounts or systems at SANS were compromised."

SANS digital forensics instructors are heading up the investigation into what went wrong, with the organisation adding: "We are working to ensure that no other information was compromised and to identify opportunities to harden our systems and improve our response. When the investigation is complete, we will run a webcast to outline our learnings if there is information that we think would be useful to the community."

People whose data was nicked will be notified by email, said the organisation, which also invited people with questions to send them to to find out more.

A SANS staffer confirmed to The Register that the hackers harvested the data they accessed from attachments sent to the affected account and did not harvest information from its address book. We will update this article if we hear more.

Although the incident is embarrassing, and does heighten the risk of identity theft or fraud in the manner of any data breach, it goes to show that even security organisations are not immune from the common threats facing us all. ®

Updated to add

SANS got in touch to tell The Reg: "The compromised PII consisted of information of individuals who had recently registered for our virtual DFIR Summit and was intended for community outreach purposes. So this meant the data consisted of First name, Last name, Email, Work phone, company name, work address and country of residence – information that is largely available in publicly available databases. No customer records, no instructor records or other parties were impacted."

More about

More about

More about


Send us news

Other stories you might like